Monday Nov 26, 2012

It
is generally accepted among business communities that technology by itself is
not a silver bullet to all problems, but when it is combined with leading
practices, strategy, careful planning and execution, it can create a recipe for
success.This post attempts to highlight
some of the best practices along with dos & don’ts that our practice has accumulated
over the years in the identity & access management space in general, and
also in the context of R2, in particular.

Best Practices

The
following section illustrates the leading practices in “How” to plan, implement
and sustain a successful OIM deployment, based on our collective experience.

Planning is critical, but often overlooked

A
common approach to planning an IAM program that we identify with our clients is
the three step process involving a current state assessment, a future state
roadmap and an executable strategy to get there. It is extremely beneficial for
clients to assess their current IAM state, perform gap analysis, document the
recommended controls to address the gaps, align future state roadmap to
business initiatives and get buy in from all stakeholders involved to improve
the chances of success.

When
designing an enterprise-wide solution, the scalability of the technology must
accommodate the future growth of the enterprise and the projected identity transactions
over several years. Aligning the implementation schedule of OIM to related
information technology projects increases the chances of success.

As
a baseline, it is recommended to match hardware specifications to the sizing
guide for R2 published by Oracle. Adherence to this will help ensure that the
hardware used to support OIM will not become a bottleneck as the adoption of
new services increases. If your Organization has numerous connected
applications that rely on reconciliation to synchronize the access data into
OIM, consider hosting dedicated instances to handle reconciliation. Finally, ensure the use of clustered
environment for development and have at least three total environments to help
facilitate a controlled migration to production.

If
your Organization is planning to implement role based access control, we
recommend performing a role mining exercise and consolidate your enterprise
roles to keep them manageable. In addition, many Organizations have multiple
approval flows to control access to critical roles, applications and
entitlements. If your Organization falls into this category, we highly
recommend that you limit the number of approval workflows to a small set.

Most
Organizations have operations managed across data centers with backend database
synchronization, if your Organization falls into this category, ensure that the
overall latency between the datacenters when replicating the databases is less
than ten milliseconds to ensure that there are no front office performance
impacts.

Ingredients for a successful implementation

During
the development phase of your project, there are a number of guidelines that
can be followed to help increase the chances for success.

Most
implementations cannot be completed without the use of customizations.If your implementation requires this, it’s a
good practice to perform code reviews to help ensure quality and reduce code
bottlenecks related to performance. We have observed at our clients that the
development process works best when team members adhere to coding leading practices.
Plan for time to correct coding defects
and ensure developers are empowered to report their own bugs for maximum
transparency.

Many
organizations struggle with defining a consistent approach to managing logs.This is particularly important due to the amount
of information that can be logged by OIM. We recommend Oracle Diagnostics
Logging (ODL) as an alternative to be used for logging. ODL allows log files to
be formatted in XML for easy parsing and does not require a server restart when
the log levels are changed during troubleshooting.

Testing
is a vital part of any large project, and an OIM R2 implementation is no
exception. We suggest that at least one lower environment should use production-like
data and connectors.Configurations
should match as closely as possible.For
example, use secure channels between OIM and target platforms in pre-production
environments to test the configurations, the migration processes of
certificates, and the additional overhead that encryption could impose.

Finally,
we ask our clients to perform database backups regularly and before any major change
event, such as a patch or migration between environments. In the lowest
environments, we recommend to have at least a weekly backup in order to prevent
significant loss of time and effort. Similarly, if your organization is using
virtual machines for one or more of the environments, it is recommended to take
frequent snapshots so that rollbacks can occur in the event of improper
configuration.

Operate &
sustain the solution to derive maximum benefits

When
migrating OIM R2 to production, it is important to perform certain activities
that will help achieve a smoother transition. At our clients, we have seen that
splitting the OIM tables into their own tablespaces by categories (physical tables,
indexes, etc.) can help manage database growth effectively. If we notice that a client hasn’t enabled the
Oracle-recommended indexing in the applicable database, we strongly suggest doing
so to improve performance. Additionally,
we work with our clients to make sure that the audit level is set to fit the organization’s
auditing needs and sometimes even allocate UPA tables and indexes into their
own table-space for better maintenance. Finally, many of our clients have set
up schedules for reconciliation tables to be archived at regular intervals in
order to keep the size of the database(s) reasonable and result in optimal
database performance.

For
our clients that anticipate availability issues with target applications, we
strongly encourage the use of the offline provisioning capabilities of OIM R2. This
reduces the provisioning process for a given target application dependency on target
availability and help avoid broken workflows. To account for this and other
abnormalities, we also advocate that OIM’s monitoring controls be configured to
alert administrators on any abnormal situations.

Within
OIM R2, we have begun advising our clients to utilize the ‘profile’ feature to encapsulate
multiple commonly requested accounts, roles, and/or entitlements into a single
item. By setting up a number of profiles that can be searched for and used,
users will spend less time performing the same exact steps for common tasks.

We
advise our clients to follow the Oracle recommended guides for database and
application server tuning which provides a good baseline configuration. It offers guidance on database connection
pools, connection timeouts, user interface threads and proper handling of
adapters/plug-ins.All of these can be
important configurations that will allow faster provisioning and web page
response times.

Many
of our clients have begun to recognize the value of data mining and a remediation
process during the initial phases of an implementation (to help ensure high quality
data gets loaded) and beyond (to support ongoing maintenance and
business-as-usual processes). A successful program always begins with
identifying the data elements and assigning a classification level based on
criticality, risk, and availability.It
should finish by following through with a remediation process.

Dos & Don’ts

Here
are the most common dos and don'ts that we socialize with our clients, derived from
our experience implementing the solution.

Dos

Don’ts

Scope the project into
phases with realistic goals. Look for quick wins to show success and value to
the stake holders.

Avoid “boiling the ocean” and trying to integrate
all enterprise applications in the first phase.

Establish an enterprise ID (universal unique ID
across the enterprise) earlier in the program.

Avoid major UI
customizations that require code changes.

Have a plan in place to
patch during the project, which helps alleviate any major issues or roadblocks
(product and database).

Avoid
publishing all the target entitlements if you don't anticipate their usage
during access request.

Assess your current state
and prepare a roadmap to address your operations, tactical and strategic
goals, align it with your business priorities.

Identify the owner of the identity systems with
fair IdM knowledge and empower them with authority to make product related
decisions. This will help ensure overcome any design hurdles.

Avoid
creating complex designs that are not sustainable long term and would need
major overhaul during upgrades.

Shadow your internal or external consulting resources
during the implementation to build the necessary product skills needed to
operate and sustain the solution.

Avoid treating IAM
as a point solution and have appropriate level of communication and training
plan for the IT and business users alike.

Conclusion

In our experience, Identity programs will struggle
with scope, proper resourcing, and more.We suggest that companies consider the suggestions discussed in this
post and leverage them to help enable their identity and access program. This
concludes PwC blog series on R2 for the month and we sincerely hope that the information
we have shared thus far has been beneficial.

For more information or if you have questions, you can
reach out to Rex Thexton, Senior Managing Director, PwC and or Dharma Padala, Director, PwC. We look forward to hearing from
you.

Meet
the Writers:

Dharma Padala is a
Director in the Advisory Security practice within PwC. He has been
implementing medium to large scale Identity Management solutions across
multiple industries including utility, health care, entertainment, retail and
financial sectors. Dharma has 14 years of experience in
delivering IT solutions out of which he has been implementing Identity Management
solutions for the past 8 years.

Praveen
Krishna is
a Manager in the Advisory Security practice within PwC. Over the
last decade Praveen has helped clients plan, architect and implement Oracle
identity solutions across diverse industries. His experience includes
delivering security across diverse topics like network, infrastructure,
application and data where he brings a holistic point of view to problem
solving.

Scott MacDonald is a
Director in the Advisory Security practice within PwC. He has consulted
for several clients across multiple industries including financial services,
health care, automotive and retail. Scott has 10 years of
experience in delivering Identity Management solutions.

John Misczak is a
member of the Advisory Security practice within PwC. He has experience
implementing multiple Identity and Access Management solutions, specializing
in Oracle Identity Manager and Business Process Engineering Language (BPEL).